Distroless Image
ELI5 — The Vibe Check
Distroless images are container images with nothing in them except your app and the few files it needs to run (think CA certificates and timezone data). No shell, no package manager, no ls, no curl, so if an attacker lands inside the container there are no tools lying around to help them. It's like delivering a package in a transparent box with no tools inside. Secure by subtraction.
Real Talk
Distroless container images, pioneered by Google's distroless project, contain only the application and its runtime dependencies: no package manager, no shell, no coreutils. Less in the image means fewer OS packages for scanners to flag, fewer binaries for an attacker to live off once inside the container, and smaller pulls. Google's own variants cover fully static binaries (e.g. CGO-free Go), glibc-linked C/C++ programs, Java, Python and Node.js; other vendors ship minimal images in the same spirit for runtimes such as .NET. Two caveats. First, distroless only strips OS packages: CVEs in your application's own dependencies are untouched, and the non-static variants still carry glibc and OpenSSL that must be rebuilt when those are patched, so keep scanning and keep rebuilding. Second, because there is no shell, troubleshooting is done with the :debug tag (which adds a BusyBox shell) or an ephemeral debug container (kubectl debug), never by adding a shell to the production image.
Show Me The Code
# Multi-stage build with distroless
# Stage 1: the full Go toolchain image is used only to compile.
FROM golang:1.22 AS builder
WORKDIR /app
COPY . .
# CGO_ENABLED=0 produces a fully static binary; static-debian12 ships no libc.
# -trimpath and -s -w drop build paths and debug symbols from the artifact.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o server .

# Stage 2: only the compiled binary is copied into the distroless runtime image.
# The :nonroot tag runs the process as uid 65532 instead of root.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/server /server
CMD ["/server"]
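The most common way a distroless deployment fails is shipping a dynamically linked binary into the static image: the container dies with a confusing "no such file or directory" because the dynamic loader named in the binary's PT_INTERP header does not exist, and there is no shell to investigate. The following Go program is an added example, not code from the distroless project or from the page above. It parses an ELF binary with the standard library's debug/elf package, reports its loader and DT_NEEDED shared-library requirements, and maps the answer onto the distroless variant that can actually run it (the image names gcr.io/distroless/static-debian12, base-debian12 and cc-debian12 are real; the Inspect, Recommend and SampleELF names are this example's own). SampleELF builds a constructed, non-executable ELF header so the check can run offline; point the program at the ./server built in the Dockerfile to check a real artifact.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"os"
)

// LinkReport summarises what an ELF binary expects the image to provide at load time.
type LinkReport struct {
	Interp string   // PT_INTERP path, e.g. /lib64/ld-linux-x86-64.so.2; empty for static binaries
	Needed []string // DT_NEEDED shared libraries, e.g. libc.so.6
}

// IsStatic reports whether the binary runs with no dynamic loader and no shared
// libraries, i.e. whether it can live in gcr.io/distroless/static-*.
func (r LinkReport) IsStatic() bool { return r.Interp == "" && len(r.Needed) == 0 }

// Inspect parses an ELF image held in memory and reports its loader requirements.
func Inspect(data []byte) (LinkReport, error) {
	f, err := elf.NewFile(bytes.NewReader(data))
	if err != nil {
		return LinkReport{}, err
	}
	defer f.Close()

	var rep LinkReport
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			buf := make([]byte, p.Filesz)
			if _, err := p.ReadAt(buf, 0); err != nil {
				return rep, err
			}
			rep.Interp = string(bytes.TrimRight(buf, "\x00"))
		}
	}
	// ImportedLibraries reads DT_NEEDED from the .dynamic section and returns an
	// empty list when the binary has no dynamic section at all (the static case).
	libs, err := f.ImportedLibraries()
	if err != nil {
		return rep, err
	}
	rep.Needed = libs
	return rep, nil
}

// Recommend maps a report onto the distroless variant that can run the binary.
func Recommend(r LinkReport) string {
	if r.IsStatic() {
		return "gcr.io/distroless/static-debian12"
	}
	return "gcr.io/distroless/base-debian12 (glibc, openssl) or cc-debian12 (adds libgcc)"
}

// SampleELF builds a constructed, minimal x86-64 ELF header with one PT_LOAD
// segment and, when withInterp is set, a PT_INTERP segment. It is not
// executable and has no section table; it exists only to exercise Inspect offline.
func SampleELF(withInterp bool) []byte {
	const interp = "/lib64/ld-linux-x86-64.so.2\x00"
	progs := []elf.Prog64{{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X), Align: 0x1000}}
	if withInterp {
		off := uint64(64 + 2*56) // ELF header plus two program headers
		progs = append(progs, elf.Prog64{
			Type: uint32(elf.PT_INTERP), Flags: uint32(elf.PF_R),
			Off: off, Vaddr: off, Paddr: off,
			Filesz: uint64(len(interp)), Memsz: uint64(len(interp)), Align: 1,
		})
	}
	hdr := elf.Header64{
		Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Ehsize: 64, Phoff: 64, Phentsize: 56, Phnum: uint16(len(progs)),
	}
	copy(hdr.Ident[:], elf.ELFMAG)
	hdr.Ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	hdr.Ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)

	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	for _, p := range progs {
		binary.Write(&buf, binary.LittleEndian, p)
	}
	if withInterp {
		buf.WriteString(interp)
	}
	return buf.Bytes()
}

func main() {
	data := SampleELF(true) // constructed dynamic sample when no path is given
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil { // e.g. ./server from the build
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	rep, err := Inspect(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("interp=%q needed=%v static=%v -> %s\n", rep.Interp, rep.Needed, rep.IsStatic(), Recommend(rep))
}
```

Run this in the builder stage (or in CI) against the compiled binary and fail the build when IsStatic is false but the target image is static-debian12; a Go binary built with CGO_ENABLED=1 and importing net or os/user will show a PT_INTERP entry and libc.so.6 under Needed, which is exactly the case the static image cannot serve.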
When You'll Hear This
"Our distroless image is 12MB and has zero CVEs from OS packages." / "You can't shell into a distroless container — that's the point."
Related Terms
Container Scanning
Container Scanning checks your Docker images for known vulnerabilities in OS packages, libraries, and misconfigurations.
Docker
Docker is like a lunchbox for your app.
Multi-Stage Build
Multi-stage builds let you use one Docker image to BUILD your app and a different, tiny image to RUN it.
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.